If you want to succeed at security, you need to look at the winners

One of the repeated security stories you hear time after time are cases of failing. Usually it’s a story of a data compromise, and the more egregious it is, the better the story is. There’s no doubt that we can learn from others’ failures. But failure doesn’t tell you how to succeed. It only tells you how not to fail.

During CTO of Tripwire Gene Kim’s portion of the panel discussion, “Proving the Worth of Security Metrics” (read my summary and watch the pre-debate with the panelists) he talked about some studies Tripwire has done talking about companies who have succeeded in security.

I asked Kim to talk about that, and also what were the characteristics of a company that made them succeed. In general, he said it’s about actually carrying through your security plan. Successful companies worry about the supervision of the controls, not just the presence or absence of them.